Facebook, blaming a "temporary misconfiguration," accidentally let spear phishers vacuum up users' personal details so they could pose as friends and family and thus make their come-ons convincing, the company told Forbes on Wednesday.

Forbes staffer David M. Ewalt was alerted to the threat when he himself received two targeted spam messages in the preceding week, both sent to a personal email address registered with his Facebook account.

Both emails appeared to come from someone he interacts with on Facebook. The sender personalized the subject line with the text "for David."

When Ewalt checked the messages' header fields (here are instructions on how to do that), he saw his friend's name in the "From" field, but the originating address wasn't their typical account; instead, it was "a bogus-looking Yahoo! Philippines email," he wrote.